Cortex XDR - Identity Analytics

The `Cortex XDR - Identity Analytics` playbook is designed to handle Cortex XDR Identity Analytics alerts and executes the following: Analysis: - Enriches the IP address and the account, providing additional context and information about these indicators. Verdict: - Determines the appropriate verdict based on the data collected from the enrichment phase. Investigation: - Checks for related Cortex XDR alerts to the user by Mitre tactics to identify malicious activity. - Checks for specific arguments for malicious usage from Okta using the 'Okta User Investigation' sub-playbook. - Checks for specific arguments for malicious usage from Azure using the 'Azure User Investigation' sub-playbook. Verdict Handling: - Handles malicious alerts by initiating appropriate response actions, including blocking malicious IP addresses and revoking or clearing user's sessions. - Handles non-malicious alerts identified during the investigation. The playbook is used as a sub-playbook in ‘Cortex XDR Alerts Handling v2’.

Cortex XDR by Palo Alto Networks · 30 tasks · 12 inputs · 0 outputs

Inputs

  • AlertName — Alert name.
  • alert_id — Alert ID.
  • IPAddress — IP address from the XDR alert.
  • Username — User name.
  • RelatedAlertsThreshold — This is the minimum threshold for Cortex XDR related alerts, based on MITRE tactics used to identify malicious activity by the user in the last 1 day.
  • FailedLogonThreshold — This is the minimum threshold for user login failures within the last 1 day. For example: If this input is set to '30', and the 'Okta - User Investigation' or the 'Azure - User Investigation' sub-playbooks have found 31 failed login attempts - It will classify this behavior as malicious activity. The default value is '30'.
  • OktaSuspiciousActivitiesThreshold — This is the minimum threshold for suspicious Okta activity events by the user in the last 1 day. For example: If this input is set to '5', and the 'Okta - User Investigation' sub-playbooks have found 6 events of suspicious activity by the user - It will classify this behavior as malicious activity. The default value is '5'.
  • AutoRemediation — Whether to execute the remediation flow automatically. Possible values are: "True" and "False".
  • IAMRemediationType — The response playbook provides the following remediation actions using MSGraph Users: Reset: By entering "Reset" in the input, the playbook will execute password reset. Revoke: By entering "Revoke" in the input, the playbook will revoke the user's session. ALL: By entering "ALL" in the input, the playbook will execute the reset password and revoke session tasks.
  • FWAutoCommit — This input determines whether to commit the configuration automatically on PAN-OS devices and other firewalls. Yes - Commit automatically. No - Commit manually.
  • UserVerification — Whether to provide user verification for blocking those IPs. Possible values: True/False. Default: True. False - No prompt will be displayed to the user. True - The server will ask the user for blocking verification and will display the blocking list.
  • InternalRange — A list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, will use the default list provided in the IsIPInRanges script (the known IPv4 private address ranges).

Commands used

ip okta-clear-user-sessions setIncident xdr-get-cloud-original-alerts

Flowchart

yes yes yes Malicious Non-Malicious yes yes yes Start Start Analysis Analysis Is the resource log is Azure? Is the resource log is Az... IP Enrichment - ip IP Enrichment ip Account Enrichment - Generic v2.1 - Account Enrichment - Generic v2.1 Account Enrichment - Gene... Account Enrichment - Generic ... Verdict Verdict Cloud IAM Enrichment - Generic - Cloud IAM Enrichment - Generic Cloud IAM Enrichment - Ge... Cloud IAM Enrichment - Generic Found malicious evidence based on enrichment data? Found malicious evidence ... Investigation Investigation Azure - User Investigation - Azure - User Investigation Azure - User Investigation Azure - User Investigation Found any malicious user activity? Found any malicious user ... Analyst Decision Analyst Decision No Malicious activity identified No Malicious activity ide... Set incident Verdict - setIncident Set incident Verdict setIncident Malicious Activity identified Malicious Activity identi... Set incident Verdict - setIncident Set incident Verdict setIncident Remediation Remediation Should perform remediation actions automatically? Should perform remediatio... Auto Remediation Auto Remediation Okta - Clear user sessions - okta-clear-user-sessions Okta - Clear user sessions okta-clear-user-sessions Should Perform Cloud Remediation? Should Perform Cloud Reme... Cloud Credentials Rotation - Azure - Cloud Credentials Rotation - Azure Cloud Credentials Rotatio... Cloud Credentials Rotation - ... Done Done Manual Remediation Manual Remediation Block IP - Generic v3 - Block IP - Generic v3 Block IP - Generic v3 Block IP - Generic v3 Fetch cloud alert extra data - xdr-get-cloud-original-alerts Fetch cloud alert extra data xdr-get-cloud-original-alerts Okta - User Investigation - Okta - User Investigation Okta - User Investigation Okta - User Investigation Cortex XDR - Get entity alerts by MITRE tactics - Cortex XDR - Get entity alerts by MITRE tactics Cortex XDR - Get entity a... Cortex XDR - Get entity alert... Is Okta integration availale? Is Okta integration avail... Set the Number of related alerts - SetAndHandleEmpty Set the Number of related... SetAndHandleEmpty